[cryptome] Re: FOIPA adventures

I like it...:-). Nice set of arguments. Will look forward with interest
to the reply...:-).
ATB
Dougie.

On 10/12/2015 11:54, coderman wrote:

On 12/9/15, coderman <coderman@xxxxxxxxx> wrote:

a most recent Glomar:

"Disclosure timeline and decision making rationale for disclosure of
vulnerability MS14-066 / CVE-2014-6321 - "Vulnerability in Schannel
Could Allow Remote Code Execution (2992611)" to Microsoft Corporation
as part of the Vulnerabilities Equities Process. Please include
timeline for initial discovery with source of discovery, first
operational use, and finally, date for vendor notification."
-https://www.muckrock.com/foi/united-states-of-america-10/discloseddisgustagency-22289/

reply (appeal):
'''
I reject and demand appeal of your rejection of this request.

First and foremost, please recognize that the GSF Explorer, formerly
USNS Hughes Glomar Explorer (T-AG-193), for which this Glomar response
is so named, was a purely military operation, using custom-built
military equipment, on an exceptionally sensitive military mission to
recover military equipment. Observe that the "Vulnerabilities Equities
Process" is a public outreach activity communicating with third party
partners, acting in the public interest regarding software used by
public citizens and business alike - a scenario at opposite ends and
means from which this denial blindly overreaches.

Second, observe that existing precedent supports the release of
materials responsive to this request. In American Civil Liberties
Union v. Department of Defense Case No: 04-CV-4151 (ACLU v. DoD) the
courts have affirmed the public interest as compelling argument for
favoring the public interest against clearly military efforts. The
Glomar denial should be well targeted; this target falls well
outside of the "Vulnerabilities Equities Process", which is a
public outreach activity communicating with third party partners,
acting in the public interest, regarding software used by public
citizens and business alike.

Third, consider that it is a well established technique in the
information security industry to identify the origin and nature of a
defect discovery and disclosure timeline. This information is used for
a myriad of secondary research, analysis, and automation efforts
spanning numerous industries. The utility of disclosure timeline
information and context has decades of rich support and strong
evidence of public interest benefit, particularly regarding long
reported and fixed defects, such as this one, which has patches
available for over a year.

Fourth, observe that every hour of expert opinion coupled with legal
review amounts to a non-trivial expenditure of hours which are a sunk,
throw away cost of FOIA communication. While as a taxpayer I
appreciate the service of FOIA professionals such as those involved in
this request, who provide tireless effort to all hundreds of millions
of US citizens, my personal cost should be recognized. For this reason
a deference in favor of public interest and disclosure is well
supported for this request regarding the "Vulnerabilities Equities
Process", which is a public outreach activity communicating with third
party partners, acting in the public interest, regarding software used
by public citizens and business alike.